Okta doesn’t know anything about our separate accounts. We created our Identity Provider in a main account and configured Okta to connect to it. Then, in each of our sub-accounts we have created roles that can be assumed by the roles in our main account using Trust Relationships in the IAM settings.
Users SSO in via Okta and are placed within the main account. They can then use the “Switch Role” feature in the username menu.
Here are some links that were helpful for setting things up:
- docs.aws.amazon.com (IAM roles): "You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships…"
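The two policies that make the setup above work, written here as an added illustration rather than the poster's actual configuration. The account IDs (111111111111 for the main account, 222222222222 for a sub-account) and role names (`OktaDevelopers`, the role Okta users land in; `Developers`, the role they switch to) are made-up placeholders. The first document is the trust policy on the sub-account role; the second is an identity policy attached to the main-account role so that it is allowed to call `sts:AssumeRole` on that target. Each is pasted into IAM separately; they are grouped in one object only for display.

```json
{
  "sub_account_role_trust_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowMainAccountOktaRoleToAssume",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111111111111:role/OktaDevelopers"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "main_account_role_permission_policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowSwitchRoleIntoSubAccount",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/Developers"
      }
    ]
  }
}
```

Naming the specific main-account role as the trusted principal, rather than `arn:aws:iam::111111111111:root`, keeps every other role in the main account from switching into the sub-account; the trade-off is that IAM stores the trusted role's unique ID, so if `OktaDevelopers` is ever deleted and recreated the trust policy must be re-saved with the new role.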